github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/user-management/google.md

# Google

* [G Suite SAML App Auth using Dex](#g-suite-saml-app-auth-using-dex)

Once you've set up one of the above integrations, be sure to edit `argocd-rbac-cm` to configure permissions (as in the example below). See [RBAC Configurations](../rbac.md) for more detailed scenarios.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
```

## G Suite SAML App Auth using Dex

### Configure a new SAML App

1. In the [Google admin console](https://admin.google.com), open the left-side menu and select `Apps` > `SAML Apps`

    ![Google Admin Apps Menu](../../assets/google-admin-saml-apps-menu.png "Google Admin menu with the Apps / SAML Apps path selected")

2. Under `Add App` select `Add custom SAML app`

    ![Google Admin Add Custom SAML App](../../assets/google-admin-saml-add-app-menu.png "Add apps menu with add custom SAML app highlighted")

3. Enter a `Name` for the application (e.g. `Argo CD`), then choose `Continue`

    ![Google Admin Apps Menu](../../assets/google-admin-saml-app-details.png "Add apps menu with add custom SAML app highlighted")

4. Download the metadata or copy the `SSO URL`, `Certificate`, and optionally `Entity ID` from the identity provider details for use in the next section. Choose `Continue`.
    - Base64 encode the contents of the certificate file, for example:
    - `$ cat ArgoCD.cer | base64`
    - *Keep a copy of the encoded output to be used in the next section.*

    ![Google Admin IdP Metadata](../../assets/google-admin-idp-metadata.png "A screenshot of the Google IdP metadata")

5. For both the `ACS URL` and `Entity ID`, use your Argo Dex Callback URL, for example: `https://argocd.example.com/api/dex/callback`

    ![Google Admin Service Provider Details](../../assets/google-admin-service-provider-details.png "A screenshot of the Google Service Provider Details")

6. Finish creating the application.

### Configure Argo to use the new Google SAML App

Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `argocd.example.com`, `sso-url`, and optionally `google-entity-id` with your values from the Google SAML App:

```yaml
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: saml
      id: saml
      name: saml
      config:
        # e.g. https://accounts.google.com/o/saml2/idp?idpid=Abcde0
        ssoURL: https://sso-url
        entityIssuer: https://argocd.example.com/api/dex/callback
        caData: |
          BASE64-ENCODED-CERTIFICATE-DATA
        redirectURI: https://argocd.example.com/api/dex/callback
        usernameAttr: name
        emailAttr: email
        # optional, e.g. https://accounts.google.com/o/saml2?idpid=Abcde0
        ssoIssuer: https://google-entity-id
```

### References

- [Dex SAML connector docs](https://dexidp.io/docs/connectors/saml/)
- [Google's SAML error messages](https://support.google.com/a/answer/6301076?hl=en)
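
A pre-apply check for the SAML connector settings from "Configure Argo to use the new Google SAML App", added here as an example and not part of the Argo CD or Dex code. The function name `check_saml_connector` is hypothetical, the sample certificate body is a constructed placeholder, and the check assumes the certificate downloaded from Google is a PEM file.

```python
import base64
import binascii
from urllib.parse import urlparse

CALLBACK_PATH = "/api/dex/callback"  # Dex callback path used throughout this page


def check_saml_connector(argocd_url, cfg):
    """Return a list of problems found in a Dex SAML connector `config` mapping."""
    problems = []
    callback = argocd_url.rstrip("/") + CALLBACK_PATH

    # redirectURI is the ACS URL registered in Google; entityIssuer is the Entity ID.
    # The page sets both to the Argo CD Dex callback URL.
    for key in ("redirectURI", "entityIssuer"):
        if cfg.get(key) != callback:
            problems.append(f"{key} should be {callback}, got {cfg.get(key)!r}")

    # ssoURL (required) and ssoIssuer (optional) must be bare https URLs with no
    # leftover placeholder text or parenthetical hint from the template.
    for key, required in (("ssoURL", True), ("ssoIssuer", False)):
        value = cfg.get(key)
        if value is None:
            if required:
                problems.append(f"{key} is missing")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.netloc or " " in value:
            problems.append(f"{key} is not a clean https URL: {value!r}")

    # caData must be the base64 encoding of the PEM certificate file (assumption).
    raw = "".join(cfg.get("caData", "").split())  # `base64` may wrap its output
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""  # raw PEM pasted as-is, or the template placeholder left in
    if b"-----BEGIN CERTIFICATE-----" not in decoded:
        problems.append("caData does not decode to a PEM certificate")
    return problems


# Constructed sample input: a placeholder PEM body, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CONFIG = {
    "ssoURL": "https://accounts.google.com/o/saml2/idp?idpid=Abcde0",
    "entityIssuer": "https://argocd.example.com/api/dex/callback",
    "redirectURI": "https://argocd.example.com/api/dex/callback",
    "caData": base64.encodebytes(SAMPLE_PEM).decode(),
}
```

Pass it the `config` mapping of the `saml` connector after parsing `dex.config`; an empty list means none of the checked mistakes are present. It does not verify the certificate itself or the SAML exchange.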